K
Q

GAE activate-service-account from drone pipeline (drone on k8s): No key could be detected

1/18/2018

I have drone running on a k8s cluster. One of my pipelines is for a GAE application.

I've been fighting with secrets for a while. It's a bit of a mission to make my secrets available. What I ended up doing was loading my key file name and contents into drone as a pair of secrets, then in my pipeline doing this:

  - echo $GOOGLE_KEY_CONTENTS > "/etc/google-keys/$${GOOGLE_KEY_NAME}.json"

If I ls or cat then the file is there and everything seems to be in order.

I then run:

- gcloud auth activate-service-account --key-file=/etc/google-keys/$${GOOGLE_KEY_NAME}.json

And the result is:

ERROR: gcloud crashed (ValueError): No key could be detected.

The key is there and looks fine to me

I also tried:

- gcloud info --run-diagnostics

And got the following output:

Network diagnostic detects and fixes local network connection issues.
Checking network connection...
done.
Reachability Check passed.
Network diagnostic (1/1 checks) passed.

If I try to authenticate with the same key file on my local machine it works just fine.

I've also managed to authenticate to gcloud from within a drone build when the drone instance was not running in k8s, and the secret key file was in a shared volume. (Unfortunately using a volume like this on k8s is impractical because drone wants me to make the secrets available to the base system of every single cluster node, and I'm not gooing to do that)

So either the k8s system is stopping gcloud from authenticating. Or I did something wrong when loading up my key. Or something else entirely.

-- Sheena
drone
droneci
google-cloud-platform
kubernetes
secret-key

Similar Questions

Run private docker image on minikube k8s
Updating DNS record for my custom domain
Understand Service and Deployment in Kubernetes
Kubernetes dashboard is not coming

2 Answers

1/19/2018

The only way I could get it right was the following:

  1. copy all the keys to each and every node in the cluster at the same location
  2. use volumes in my drone.yml to access the directory with the keys

Note the conspicuous lack of k8s secrets and k8s volumes.

The reasons for this is that the drone agent might show up on any node (I suppose node labels could have been used if I insisted on putting the keys on just one node but I figure one node is as secure as the next in my cluster and the secrets are tiny...). So simply scp them to where they need to be.

The drone agent cant access any k8s mounted volumes. Only volumes from the base system. I suppose drone wasn't built for use with k8s

-- Sheena
Source: StackOverflow
1/18/2018

As described in this link, if you're using a service account to authenticate in applications running on Kubernetes, you need to use a secrets resource.

As described in step 5, this secret will be used as Environment Variable. The secret will be only accessible by the application where you have mounted the secret volume.

-- Marilu
Source: StackOverflow